Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Yesterday Oracle has released a new document "Security Vulnerability Fixing Policy and Process". This is significant as it sets out Oracle's stall on the process that they will use to fix security bugs and release patches. Read this document, it is enlightening. The document covers the critical patch updates, cumulative patches verses one-off patches, and the order of fixing security bugs - there is an example of product and patch release cycles with a diagram. The paper goes on to talk about critical patch update documentation and finally about the process for crediting researchers who find the security bugs. This is where Oracle is clear. If a researcher works with Oracle and does not publish the vulnerability before the fix is available and does not publish exact details of the bugs or exploits or proof of concepts then they will be credited. The paper goes on to justify the reasons for this new stance. Also employees or contractors will not be credited. This paper is worth reading for anyone who wants to understand Oracle's thoughts on fixing security bugs.

PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database,
design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.